WCCP Vlan redirection

Rui Taveira
Level 1

Hi,

I have an Ironport set up with my 6500 through WCCP.

It seems to be working ok, but I have a question.

Right now, I'm only redirecting a specific VLAN (let's say 40).

I can filter the traffic ok, but I'm seeing that it's also redirecting inter-VLAN traffic (from VLAN 100 to 40, for example).

Is there a way to exclude this traffic?

Thanks in advance for any help.

4 Replies

sfiebran
Cisco Employee

Hi,

Basically the router decides what to redirect. Within your e.g. access-list you can define what to redirect (and what not). Would you mind including your WCCP config parts?

-Stephan

This is the access-list I'm using.

Each line corresponds to a different VLAN.

Extended IP access list IRONPORT
    10 permit tcp 10.180.4.0 0.0.0.255 any (8 matches)
    20 permit tcp 10.180.2.0 0.0.1.255 any (3 matches)
    30 permit tcp 10.180.1.0 0.0.0.255 any
    40 permit tcp 10.180.11.0 0.0.0.255 any
    50 permit tcp 10.180.5.0 0.0.0.255 any
    60 permit tcp 10.180.6.0 0.0.0.255 any
    70 permit tcp 10.180.7.0 0.0.0.255 any
    80 permit tcp 10.180.8.0 0.0.0.255 any
    90 permit tcp 10.180.9.0 0.0.0.255 any

Then I have an "ip wccp redirect in" on each VLAN whose traffic I want to inspect.

Is it best to just have this line on the interface connected to the router that leaves our LAN?

We have a MPLS network from our provider, that connects to remote sites.

Can I exclude these sites from inspection with "deny" commands on the access-list?

Yes, it would be best to put that on the port going to the router, though in that case, you want that traffic redirected on egress from the port, instead of ingress.

Yes, you can exclude traffic by using deny statements in the access list. In fact, if you move the redirect to the port, you'll want one to exclude traffic from the WSA from being redirected to itself.

Ken

As the router is always the source for the redirection, I would suggest excluding the corresponding IP addresses from being redirected in the first place (access-list modified to deny the particular traffic).

Another way is to use the proxy bypass list, which takes advantage of the WCCPv2 protocol to return the SYN packet to the router to indicate that the entire session should afterwards be bypassed directly at the router (this is all implemented inside WCCP, so nothing further to configure). This solution is probably more convenient to maintain; however, it creates a little overhead as the initial SYN packet has to go back and forth to the WSA proxy.

I would advise only using IP addresses on the Proxy Bypass list, as it will anyway only be used to build an IP access-list.

In your case you would have to exclude each other VLAN's subnets to ensure they are routed directly.

-Stephan
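To check the advice in Ken's and Stephan's replies before touching the 6500, here is an added example (not from this thread or from Cisco) that evaluates Cisco-style wildcard-mask ACL entries with first-match semantics and shows which flows the redirect list would send to the WSA. The two-entry lists, the WSA address 10.180.4.10 and the 10.180.0.0 0.0.15.255 summary that covers the thread's VLAN subnets are constructed assumptions.

```python
import ipaddress

# Added example, not from the thread: a first-match evaluator for Cisco-style
# wildcard-mask ACL entries, used to check which flows a WCCP redirect list
# would hand to the WSA. Only 'permit|deny tcp <src> <dst>' entries are handled,
# with src/dst as 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (assumed subset).

def _spec(tokens):
    """Consume one address spec from the token list; return ((net, wild), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Return a list of (action, (src_net, src_wild), (dst_net, dst_wild))."""
    acl = []
    for line in lines:
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]          # tokens[1] is 'tcp'
        src, rest = _spec(rest)
        dst, _ = _spec(rest)
        acl.append((action, src, dst))
    return acl

def _match(addr, spec):
    """Cisco wildcard mask: 1 bits in the mask are 'don't care' bits."""
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def redirected(acl, src, dst):
    """True if the first matching entry is a permit (WCCP redirects the flow).
    The implicit deny at the end of every ACL means 'not redirected'."""
    for action, s, d in acl:
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False

ORIGINAL = parse_acl([                          # two of the thread's entries
    "permit tcp 10.180.4.0 0.0.0.255 any",
    "permit tcp 10.180.11.0 0.0.0.255 any",
])
FIXED = parse_acl([                             # assumed fix: denies first
    "deny tcp host 10.180.4.10 any",            # the WSA itself (assumed address)
    "deny tcp any 10.180.0.0 0.0.15.255",       # any internal 10.180.0-15.x destination
    "permit tcp 10.180.4.0 0.0.0.255 any",
    "permit tcp 10.180.11.0 0.0.0.255 any",
])
```

With ORIGINAL, a VLAN-to-VLAN flow such as 10.180.11.7 to 10.180.4.20 is redirected; with FIXED it is routed directly, Internet-bound traffic is still redirected, and the WSA's own outbound connections are never sent back to it.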
